profiles: refactor electron.profile and electron-based programs

etc/profile-a-l/atom.profile

@@ -6,31 +6,27 @@ include atom.local
 # Persistent global definitions
 include globals.local
 
+# Disabled until someone reported positive feedback
+ignore include disable-devel.inc
+ignore include disable-interpreters.inc
+ignore include disable-xdg.inc
+ignore whitelist ${DOWNLOADS}
+ignore include whitelist-common.inc
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+ignore include whitelist-var-common.inc
+ignore apparmor
+ignore disable-mnt
+
 noblacklist ${HOME}/.atom
 noblacklist ${HOME}/.config/Atom
 
 # Allows files commonly used by IDEs
 include allow-common-devel.inc
 
-include disable-common.inc
-include disable-exec.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
-
-caps.keep sys_admin,sys_chroot
 # net none
 netfilter
-nodvd
-nogroups
 nosound
-notv
-nou2f
-novideo
-shell none
-
-private-cache
-private-dev
-private-tmp
 
-dbus-user none
-dbus-system none
+# Redirect
+include electron.profile

etc/profile-a-l/beaker.profile

@@ -3,17 +3,26 @@
 # Persistent local customizations
 include beaker.local
 # Persistent global definitions
-# added by included profile
-#include globals.local
+include globals.local
 
-noblacklist ${HOME}/.config/Beaker Browser
+# Disabled until someone reported positive feedback
+ignore include disable-exec.inc
+ignore include disable-xdg.inc
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+ignore include whitelist-var-common.inc
+ignore nou2f
+ignore novideo
+ignore shell none
+ignore disable-mnt
+ignore private-cache
+ignore private-dev
+ignore private-tmp
 
-include disable-devel.inc
-include disable-interpreters.inc
+noblacklist ${HOME}/.config/Beaker Browser
 
 mkdir ${HOME}/.config/Beaker Browser
 whitelist ${HOME}/.config/Beaker Browser
-include whitelist-common.inc
 
 # Redirect
 include electron.profile

etc/profile-a-l/discord-common.profile

@@ -6,33 +6,24 @@ include discord-common.local
 # added by caller profile
 #include globals.local
 
-ignore noexec ${HOME}
+# Disabled until someone reported positive feedback
+ignore include disable-interpreters.inc
+ignore include disable-xdg.inc
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+ignore apparmor
+ignore disable-mnt
+ignore private-cache
+ignore dbus-user none
+ignore dbus-system none
 
-include disable-common.inc
-include disable-devel.inc
-include disable-exec.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
+ignore noexec ${HOME}
 
-whitelist ${DOWNLOADS}
 whitelist ${HOME}/.config/BetterDiscord
 whitelist ${HOME}/.local/share/betterdiscordctl
-include whitelist-common.inc
-include whitelist-var-common.inc
-
-caps.drop all
-netfilter
-nodvd
-nogroups
-nonewprivs
-noroot
-notv
-nou2f
-novideo
-protocol unix,inet,inet6,netlink
-seccomp !chroot
 
 private-bin bash,cut,echo,egrep,fish,grep,head,sed,sh,tclsh,tr,xdg-mime,xdg-open,zsh
-private-dev
 private-etc alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,localtime,login.defs,machine-id,password,pki,resolv.conf,ssl
-private-tmp
+
+# Redirect
+include electron.profile

etc/profile-a-l/electron.profile

@@ -3,25 +3,39 @@
 # This file is overwritten after every install/update
 # Persistent local customizations
 include electron.local
-# Persistent global definitions
-include globals.local
 
 include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-xdg.inc
 
 whitelist ${DOWNLOADS}
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+# Uncomment the next line (or add it to your chromium-common.local)
+# if your kernel allows unprivileged userns clone.
+#include chromium-common-hardened.inc
 
 apparmor
-caps.drop all
+caps.keep sys_admin,sys_chroot
 netfilter
 nodvd
 nogroups
-nonewprivs
-noroot
 notv
-protocol unix,inet,inet6,netlink
-seccomp
+nou2f
+novideo
+shell none
+
+disable-mnt
+private-cache
+private-dev
+private-tmp
 
 dbus-user none
 dbus-system none

etc/profile-a-l/freetube.profile

@@ -6,26 +6,22 @@ include freetube.local
 # Persistent global definitions
 include globals.local
 
+# Disabled until someone reported positive feedback
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+ignore include whitelist-var-common.inc
+ignore nou2f
+ignore novideo
+
 noblacklist ${HOME}/.config/FreeTube
 
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
 include disable-shell.inc 
-include disable-xdg.inc
 
 mkdir ${HOME}/.config/FreeTube
 whitelist ${HOME}/.config/FreeTube
 
-seccomp !chroot
-shell none
-
-disable-mnt
 private-bin freetube
-private-cache
-private-dev
 private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,pki,pulse,resolv.conf,ssl,X11,xdg
-private-tmp
 
 # Redirect
 include electron.profile

etc/profile-a-l/github-desktop.profile

@@ -6,43 +6,35 @@ include github-desktop.local
 # Persistent global definitions
 include globals.local
 
+# Note: On debian-based distributions the binary might be located in
+# /opt/GitHub Desktop/github-desktop, and therefore not be in PATH.
+# If that's the case you can start GitHub Desktop with firejail via
+# `firejail "/opt/GitHub Desktop/github-desktop"`.
+
+# Disabled until someone reported positive feedback
+ignore include disable-xdg.inc
+ignore whitelist ${DOWNLOADS}
+ignore include whitelist-common.inc
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+ignore include whitelist-var-common.inc
+ignore apparmor
+ignore dbus-user none
+ignore dbus-system none
+
 noblacklist ${HOME}/.config/GitHub Desktop
 noblacklist ${HOME}/.config/git
 noblacklist ${HOME}/.gitconfig
 noblacklist ${HOME}/.git-credentials
 
-include disable-common.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-
-caps.drop all
-netfilter
 # no3d
-nodvd
-nogroups
-nonewprivs
-noroot
 nosound
-notv
-nou2f
-novideo
-protocol unix,inet,inet6,netlink
-seccomp !chroot
 
-# Note: On debian-based distributions the binary might be located in
-# /opt/GitHub Desktop/github-desktop, and therefore not be in PATH.
-# If that's the case you can start GitHub Desktop with firejail via
-# `firejail "/opt/GitHub Desktop/github-desktop"`.
-
-disable-mnt
 # private-bin github-desktop
-private-cache
 ?HAS_APPIMAGE: ignore private-dev
-private-dev
 # private-lib
-private-tmp
 
 # memory-deny-write-execute
+
+# Redirect
+include electron.profile

etc/profile-a-l/jitsi-meet-desktop.profile

@@ -6,34 +6,22 @@ include jitsi-meet-desktop.local
 # Persistent global definitions
 include globals.local
 
+# Disabled until someone reported positive feedback
+ignore nou2f
+ignore novideo
+ignore shell none
+
 ignore noexec /tmp
 
 noblacklist ${HOME}/.config/Jitsi Meet
 
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-xdg.inc
-
 nowhitelist ${DOWNLOADS}
 
 mkdir ${HOME}/.config/Jitsi Meet
-
 whitelist ${HOME}/.config/Jitsi Meet
 
-include whitelist-common.inc
-include whitelist-usr-share-common.inc
-include whitelist-runuser-common.inc
-include whitelist-var-common.inc
-
-seccomp !chroot
-
-disable-mnt
 private-bin bash,jitsi-meet-desktop
-private-cache
-private-dev
 private-etc alsa,alternatives,asound.conf,bumblebee,ca-certificates,crypto-policies,drirc,fonts,glvnd,group,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,nvidia,pango,passwd,pki,protocols,pulse,resolv.conf,rpc,services,ssl,X11,xdg
-private-tmp
 
 # Redirect
 include electron.profile

etc/profile-m-z/nuclear.profile

@@ -10,31 +10,16 @@ ignore dbus-user
 
 noblacklist ${HOME}/.config/nuclear
 
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
 include disable-shell.inc 
-include disable-xdg.inc
 
 mkdir ${HOME}/.config/nuclear
 whitelist ${HOME}/.config/nuclear
-include whitelist-common.inc 
-include whitelist-runuser-common.inc 
-include whitelist-usr-share-common.inc
-include whitelist-var-common.inc
 
 no3d
-nou2f
-novideo
-shell none
 
-disable-mnt
 # private-bin nuclear
-private-cache
-private-dev
 private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
 private-opt nuclear
-private-tmp
 
 # Redirect
 include electron.profile

etc/profile-m-z/riot-web.profile

@@ -4,14 +4,28 @@
 # Persistent local customizations
 include riot-web.local
 # Persistent global definitions
-# added by included profile
-#include globals.local
+include globals.local
+
+# Disabled until someone reported positive feedback
+ignore include disable-devel.inc
+ignore include disable-exec.inc
+ignore include disable-interpreters.inc
+ignore include disable-xdg.inc
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+ignore include whitelist-var-common.inc
+ignore nou2f
+ignore novideo
+ignore shell none
+ignore disable-mnt
+ignore private-cache
+ignore private-dev
+ignore private-tmp
 
 noblacklist ${HOME}/.config/Riot
 
 mkdir ${HOME}/.config/Riot
 whitelist ${HOME}/.config/Riot
-include whitelist-common.inc
 
 # Redirect
 include electron.profile